The Hacker News — Cyber Security, Hacking, Technology News

Another day, another data breach. This time the Amazon-owned grocery chain Whole Foods Market has fallen victim to a credit card security breach.

Whole Foods Market—acquired by Amazon for $13.7 billion in late August—disclosed Thursday that hackers were able to gain unauthorized access to credit card information for its customers who made purchases at certain venues like taprooms and full table-service restaurants located within some stores.

Whole Foods Market has around 500 stores in the United States, United Kingdom, and Canada.

The company did not disclose details about the targeted locations or the total number of customers affected by the breach, but it did mention that hackers targeted some of its point-of-sale (POS) terminals in an attempt to steal customer data, including credit details.

The company also said that people who only shopped for groceries at Whole Foods were not affected, nor were the hackers able to access Amazon transactions in the breach.

Instead, only certain venues such as taprooms and table-service restaurants located within its stores—which use a separate POS system—were impacted.

Whole Foods Market has hired a cybersecurity firm to help it investigate the credit card breach and has notified law enforcement authorities of the incident.

"When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cybersecurity forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue," Whole Foods said in a statement on its website.

The company is also encouraging its customers to closely monitor their credit card statements and "report any unauthorized charges to the issuing bank."

According to Whole Foods Market, none of the affected systems being investigated are, in any way, connected to Amazon.com systems.

Whole Foods Market has become the latest victim of a high-profile cyber attack. Earlier this month, global tax and auditing firm Deloitte suffered a cyber attack that resulted in the theft of private emails and documents belonging to some of its clients.

Also last week, the U.S. Securities and Exchange Commission (SEC) disclosed that unknown hackers managed to break into its financial document filing system and illegally profited from the stolen information.

Sensitive files linked to a United States intelligence agency were reportedly left on a public Amazon server, without a password, by one of the nation's top intelligence contractors, according to a new report.

UpGuard cyber risk analyst Chris Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.

The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors.

Although there were no top secret files in the cache Vickery discovered, the documents included credentials for logging into code repositories that could contain classified files and further credentials.

Master Credentials to a Highly-Protected Pentagon System were Exposed

Roughly 28 GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee and half a dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.

The sensitive files have since been secured. They were likely hidden from those who didn't know where to look for them, but anyone who did know, as Vickery did, could have downloaded them, potentially gaining access to both highly classified Pentagon material and Booz Allen information.

"In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level," Vickery says.

Vickery is a reputable and responsible researcher who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database, containing nearly 1.4 billion user records, linked to River City Media (RCM).

Both NGA and Booz Allen are Investigating the Blunder

The NGA is now investigating this security blunder.

"We immediately revoked the affected credentials when we first learned of the potential vulnerability," the NGA said in a statement. "NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."

Booz Allen, meanwhile, said it is continuing a detailed forensic investigation into the misstep.

"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," a Booz Allen spokesperson told Gizmodo.

"We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."

Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among the top 100 US federal contractors and has been described as "the world’s most profitable spy organisation."

The major internet outage across the United States earlier this week was not caused by a virus, malware or a state-sponsored cyber attack; it was the result of a simple typo.

Amazon on Thursday admitted that an incorrectly typed command during a routine debugging of the company's billing system caused the 5-hour-long outage of some Amazon Web Services (AWS) servers on Tuesday.

The issue caused tens of thousands of websites and services to become completely unavailable, while others showed broken images and links, leaving online users around the world confused.

The sites and services affected by the disruption include Quora, Slack, Medium, Giphy, Trello, Splitwise, Soundcloud, and IFTTT, among a ton of others.

Here's What Happened:

On Tuesday morning, members of the Amazon Simple Storage Service (S3) team were debugging the S3 cloud-storage billing system.

As part of the process, the team needed to take a few billing servers offline, but unfortunately it ended up taking down a much larger set of servers.

"Unfortunately, one of the inputs to the command was entered incorrectly, and a larger set of servers was removed than intended," Amazon said. "The servers that were inadvertently removed supported two other S3 subsystems." …Whoops.

As for why it took longer than expected to restart certain services, Amazon says that some of its servers have not been restarted in "many years."

Since the S3 system has experienced massive growth over the last several years, "the process of restarting these services and running the necessary safety checks to validate the integrity of the metadata took longer than expected."

The company apologized for the inconvenience faced by its customers and promised that it will be putting new safeguards in place.

Amazon said the company is making "several changes" as a result of this incident, including steps to prevent an incorrect input from triggering such problems in the future.
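One way to build the kind of input safeguard Amazon describes, as an added example that is not Amazon's tooling: a removal request is refused when it exceeds a per-run cap or would take any dependent subsystem below its minimum capacity, so a mistyped argument cannot take an entire subsystem offline in one command. Subsystem names, server ids and capacities are constructed for the example.

```python
"""Guardrail for a fleet-maintenance command (added illustration, not AWS tooling).

Every subsystem that depends on the requested servers is checked against a per-run
cap and a minimum-capacity floor; nothing is removed unless all checks pass.
Server ids and capacities below are constructed for the example."""
from dataclasses import dataclass

class GuardrailViolation(Exception):
    """Raised when a removal request would breach a safety rule."""

@dataclass
class Subsystem:
    name: str
    servers: set
    min_capacity: int          # servers needed to keep serving traffic
    max_removal_per_run: int   # hard cap per invocation, whatever the input says

def violations(fleet: dict, requested: set) -> list:
    """List every safety rule the request would break; an empty list means it is safe."""
    problems = []
    unknown = requested - set().union(*(s.servers for s in fleet.values()))
    if unknown:
        problems.append(f"unknown servers: {sorted(unknown)}")
    for sub in fleet.values():
        hit = requested & sub.servers   # servers of this subsystem the request touches
        if not hit:
            continue
        if len(hit) > sub.max_removal_per_run:
            problems.append(f"{sub.name}: {len(hit)} requested, per-run cap is {sub.max_removal_per_run}")
        remaining = len(sub.servers) - len(hit)
        if remaining < sub.min_capacity:
            problems.append(f"{sub.name}: would leave {remaining} servers, floor is {sub.min_capacity}")
    return problems

def remove_servers(fleet: dict, requested: set) -> dict:
    """Commit the removal only if no rule is violated; returns the servers removed per subsystem."""
    problems = violations(fleet, requested)
    if problems:
        raise GuardrailViolation("; ".join(problems))   # abort before anything changes
    plan = {n: requested & s.servers for n, s in fleet.items() if requested & s.servers}
    for name, hit in plan.items():
        fleet[name].servers -= hit
    return plan

def build_fleet() -> dict:
    """Constructed sample: billing hosts b1..b6; b4..b6 also back a shared index subsystem."""
    return {
        "billing": Subsystem("billing", {f"b{i}" for i in range(1, 7)}, 3, 2),
        "index": Subsystem("index", {"b4", "b5", "b6", "i1"}, 3, 1),
    }
```

With the sample fleet, removing `{"b1"}` succeeds, while the mistyped request `{"b1", ..., "b6"}` is blocked on four counts before any server is touched.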

The typo that caused the internet outage this week also knocked out the AWS Service Health Dashboard, so the company had to use its Twitter account to keep customers updated on the incident.

Due to this, Amazon is also changing the administration console for the AWS Service Health Dashboard, so that it can run across multiple regions.

Arkansas police are seeking help from e-commerce giant Amazon for data that may have been recorded on its Echo device belonging to a suspect in a murder case, bringing the conflict into the realm of the Internet of Things.

Amazon Echo is a voice-activated smart home speaker that can control several smart devices when integrated with a variety of home automation hubs. It can perform tasks like playing music, making to-do lists and setting alarms, and can also provide real-time information such as weather and traffic.

As first reported by The Information, authorities in Bentonville have issued a warrant for Amazon to hand over audio or records from an Echo device belonging to James Andrew Bates in the hope that they'll aid in uncovering additional details about the murder of Victor Collins.

Just as Apple refused to help the FBI unlock an iPhone belonging to one of the San Bernardino terrorists, Amazon also declined to give police any of the information the Echo logged on its servers.

Collins died on November 21 last year while visiting the house of Bates, his friend from work, in Bentonville, Arkansas. The next morning, Collins' dead body was discovered in a hot tub, and Bates was charged with first-degree murder.

As part of the investigation, authorities seized an Amazon Echo device belonging to Bates, among other internet-connected devices in his home, including a water meter, a Nest thermostat, and a Honeywell alarm system.

Always-On Listening Feature

Echo typically sits in an idle state with its microphones constantly listening for the "wake" command like "Alexa" or "Amazon" before it begins recording and sending data to Amazon's servers.

However, because of this always-on feature, it is common for the Echo to activate by mistake and capture snippets of audio that users may not have known were being recorded.

Some of those voice commands are not stored locally on the Echo but are instead logged on Amazon's servers.

Presumably, the authorities believe that audio the Echo device might have picked up on the night of the incident and uploaded to Amazon's servers could contain evidence related to the case under investigation.

Amazon Refused (Twice) to Hand Over Its User's Data

Amazon, however, declined to provide the data the authorities requested. Here's what a spokesperson for the company told CNBC:

"Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course."

While the online retail giant has twice refused to hand over to police the Echo data logged on its servers, Amazon did provide Bates' account information and purchase history.

The police said they were able to extract data from Echo, though it's uncertain what they were able to uncover and how useful that data would be in their investigation.

According to court records, Bates' smart water meter shows that his home ran 140 gallons of water between 1 AM and 3 AM the night Collins was found dead in Bates' hot tub. The prosecution claims that the water was used to wash away evidence after he killed Collins.

Should Amazon Share the Data or Not?

The authorities in the Collins murder case are asking for data on Amazon's servers that could help bring a criminal to justice. If so, authorities should get access to it.

In the case of Apple vs. FBI, Apple was forced to write backdoor software that could bypass the security mechanisms built into its iPhone, even though the company had already handed over the data stored on its servers.

The broader takeaway: IoT devices automating your habits at home could be used for or against you, legally.

The Collins murder case appears to be the first of its kind, and we are sure to see more such cases in the future.

It will be interesting to see how the companies that make smart home devices will serve their customers while balancing the protection of their customers' privacy against aiding the process of justice.

Hackers claiming affiliation with the hacktivist group "Anonymous" have allegedly leaked more than 13,000 username and password combinations for some of the world's most popular websites, including Amazon, Xbox Live and PlayStation Network.

The stolen personal information was released on Friday in a massive text document posted to the Internet file-sharing website Ghostbin (since deleted). The document contains a huge number of usernames and passwords, along with credit card numbers and expiration dates.

The news came just a day after the hacker group Lizard Squad took down Sony’s PlayStation and Microsoft’s Xbox Live gaming networks on Christmas Day, an attack estimated to have affected Xbox's 48 million subscribers and PlayStation's 110 million users, more than 150 million users worldwide in total.

However, a breach of 13,000 accounts is far from the biggest data breach we've ever seen. With millions of passwords in use on sites around the globe, the chance that yours is among those compromised is small. Still, it is worth noting, because these accounts come from a variety of online sources, some of them very popular.

The Daily Dot's Aaron Sankin has compiled a comprehensive list of sites associated with the username and password leaks, and found that the affected sites run the gamut from pornography to gaming to online shopping. The list of the compromised websites is as follows:

To be on the safe side, users with accounts on these compromised websites should change their passwords, keep an eye on their credit card transactions, and immediately contact their bank or financial institution if they notice any suspicious activity.

Also, don't use the same passwords for banking and online shopping sites, and always keep an eye out for unusual activities or unauthorized purchases with your accounts.

The U.S. has top security agencies such as the NSA and FBI, with their high-profile surveillance technologies, to tackle cyber crime and terrorism, yet the U.S. still proudly hosts 44% of all cloud-based malware distribution.

With advances in Internet technology, cloud computing has gone from a possibility to an essential ingredient of almost any Internet presence.

Cloud services are designed to be easy to maintain, use and configure, and to scale cost-effectively with the requirements of the service being provided.

Because the cloud is an easy and cost-effective alternative to traditional hosting, malware writers are using the big cloud hosting platforms to quickly and effectively serve malware to Internet users, bypassing detection and geographic blacklisting by serving it from a trusted provider.

Hiding behind trusted domains and names is nothing new. According to the recently published SERT Q4 2013 Threat Intelligence Report, malware distributors are using cloud services from Amazon, GoDaddy and Google like legitimate customers, allowing them to infect millions of computers and vast numbers of enterprise systems.

Cloud-based hosting services let malware distributors evade detection by repeatedly changing IP addresses and domain names. Amazon and GoDaddy were identified as the top malware-hosting providers, with a 16 percent and a 14 percent share, respectively.

Other major findings include:

United States hosts 4.6 times more malware than the next leading country.

The SERT research team collected a large number of samples from more than 12,000 registrars and 22,000 ISPs (Internet Service Providers) and tested all malicious packages against more than 40 antivirus engines, with the following results:

The majority of the top malware sites are domains commonly associated with Potentially Unwanted Applications (PUA), a type of malware more commonly known as adware.

"Researchers found that a significant portion of the malware sampled consisted of Microsoft Windows 32-bit Portable Executable (PE32) files being used to distribute pay-per-install applications known as potentially unwanted applications (PUAs)."

The report claimed that this malware goes undetected by over 40 anti-virus engines, that it can act as a gateway for exploits, and that more than half of the malware found was being distributed via HTML web pages.